Our contribution

In 2012, Qiang Li et al.[24] put forward a scheme with fine-grained attribute revocation. However, the scheme only achieves the attribute revocation, the keyword search is not involved, this problem may lead to the problem that system users cannot effectively download cipher text which they interested from the cloud server.

In this paper, we propose a keyword search attribute based encryption scheme with attribute revocation. The new scheme supports not only the attribute revocation but also keyword search. When a user wants to search the file which he interests, he sends the search token to the cloud server, and the cloud server runs the test algorithm. If the test is successful, it returns the file. In this way, the user can download the file which he interests and save the storage space at the same time. Finally, under the assumption of q-BDHE and DDH in the selective security model, we prove that our scheme is secure.

Linear Secret-Sharing Scheme (LSSS) [25]

A linear secret sharing scheme includes two algorithms:

Share: In this step, it is dispersing the secret value s to attributes specified by ρ as follows: by selecting ,setting and computing where M_i is the ith row of M,it assigns secrets share λ_i to the attribute ρ(i).

Combine: In this step, it is used to collect the secret value from secret shares which related to the attributes as follows: selecting subset I = {i: ρ(i) ∈ S} the attribute set {ρ(i) | i ∈ I} satisfies access control strategy (M, ρ), and computing coefficients k_i, i ∈ I such that ∑_i∈I k_iM_i = (1,0,…, 0), then we will obtain that ∑_i∈I k_iλ_i = s.

Decisional q-BDHE assumption [24]

The definition of the decisional q-BDHE exponent assumption in our article as follows:

Choose a group G₁ of prime order p, let g be a generator of G₁, and define e: G₁ × G₁ → G₂, the adversary is given a vector We say that the Decision q-BDHE assumption holds in G₁ if no polynomial-time algorithm has a non-negligible advantage to distinguish and a random element in G₂.

Zero Inner-product [24]

The ID represents the identity of user which associated with user’s private key. Define a vector X = (x₁,…,x_n)^T such that x_i = ID^i-1, i ∈ [1, n]. To encrypt with a revoked user set R = {ID₁,⋯, ID_q}, one defines as Y = (y₁,…, y_n)^T, the coefficient vector of P_R[Z] from where, if q + 1 < n, the coordinates y_q+2,⋯,y_n are set to 0. By doing so, we note that P_R[ID] = <X, Y> = 0 iff ID ∈ R.

For example, if the user ID₁ in the revoked user set R = {ID₁, ID₃}, we have that .

Decisional DDH assumption [10]

Let G₁ is a group which prime order is p, let g be a generator of G₁, and give a tuple (g, g^a, g^b) where , we say that the decisional DDH assumption holds if no polynomial time algorithm has a non-negligible advantage to distinguish that Z equals g^ab or to a random element of G₁.

Algorithm model and security model

Algorithm model.

Denote U = {ID₁,⋯, ID_Q} to be the universe of all the users, we consider a scheme that searchable attribute-based encryption scheme with attribute revocation in cloud storage, as described in Fig 1. There are seven algorithms in our scheme:

Setup (λ) → msk, pp: This algorithm is executed by attribute authority. It inputs a security parameter λ and outputs the master secret key msk and public parameter pp.

KeyGen (ID, (M, ρ), pp, msk) → sk, τ:This algorithm is executed by attribute authority. It inputs a user’s identity ID ∈ U, an access structure (M, ρ), public parameter pp, the msk and outputs the secret key sk and the part of search token τ.

Encryption (pp, ω, R_θ, m) → ct: This algorithm is executed by data owner. It inputs public parameter pp, the attribute set ω, a revocation list R_θ ⊆ U which attribute θ ∈ ω,a message m and outputs a cipher text ct.

Index (pp, ω, R_θ, W) → Ind: This algorithm is executed by data owner. It inputs public parameter pp, the attribute set ω,a revocation list R_θ ⊆ U which attribute θ ∈ ω,the keywords set from the uploaded files W and outputs keywords index Ind.

Trapdoor (pp, W′, τ) →τ*:This algorithm is executed by user. It inputs the public parameter pp and the keywords set W′, and outputs the new token τ*.

Test (τ*, Ind) → 1 or 0:This algorithm is executed by cloud storage server. It inputs the search token τ*and keywords index Ind and outputs 1 or 0.

Decryption (pp, ID, sk, R_θ, ct) → m: This algorithm is executed by user. It inputs public parameter pp, the user secret key sk of user ID ∈ U, a revocation list R_θ ⊆ U of attribute θ ∈ ω, a cipher text ct. And the user ID has the attribute set ω′ as: if ID ∈ R_θ, let ω′ = ω − {θ};otherwise, ω′ = ω. It computes the message m if and only if the attribute set ω′ satisfies the access structure. And the user can decrypt the file with m.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. System model of our scheme

https://doi.org/10.1371/journal.pone.0183459.g001

Finally, the system model of our scheme is shown in Fig 1.

Security model

Implement of the algorithm

Our construction is based on the Qiang Li et al.[24], and we combine the keyword search with attribute revocation in our new scheme. User constructs the search token when he wants to search files. If the search is successful and the set of attribute satisfies the access structure, it outputs 1 in the algorithm of Test, then cloud server returns the cipher text. Our scheme adds access control in search, the user can download the files which he interests and can decrypt in this way, and save the space. We construct our scheme as follows:

Setup (λ) → msk, pp: Give that the G₁ and G₂ are two groups of prime order p, the binary size of p is λ,let g be a generator of G₁. Define that e: G₁× G₁ →G₂. In this paper, we suppose the maximum number of attribute is m when encryption, and n represents the maximum number of revoked user set in the revocation list. Then randomly choose α, β, δ ∈ Z_p, , set and randomly choose {k_0,i, k_1,i ∈ G₁|_{i = 1,…,m}},let . Then randomly choose that {t_0,i, t_1,i ∈ G₁|_{i = 1,…,m}},and then define two functions T_f(x): Z_p → G₁, where f = {0, 1}. Let hash H be H:{0, 1}* → G₁, then the master key msk and public parameter pp are:

KeyGen (ID, (M, ρ), pp, msk) → sk, τ : Let M be an l × k matrix corresponding to access policy (M, ρ). Define a vector X = (x₁,…,x_n)^T such that x_i = IDⁱ⁻¹, i ∈ [1, n]. Randomly choose r, {z_i,0, z_i,1}_i∈[2,…k] ∈ Z_p, define a vector v₀ = (α + rα₁, z_2,0,…, z_k,0)^T, v₁ = (α, z_2,1,…, z_k,1)^T. For i = 1 to l, and compute that λ_i,0 = M_i·v₀ and λ_i,1 = M_i·v₁. Randomly choose {r_i,0, r_i,1}_i∈[1,…l] ∈ Z_p, and set the private key as where

Then calculate that , where M_X ∈ (Z_p)^n×(n−1) is defined by .

Randomly choose and set . For i = 1 to l, compute λ_i = M_i·v. Randomly choose ξ_i ∈ Z_p, then denote that where then send sk and τ to the user.

Encryption (pp, ω, R_θ, m) → ct: Suppose that a message m is encrypted with a set of attribute ω and a revocation list R_θ ⊆ U which attribute θ ∈ ω. Define a vector Y = (y₁,…, y_n)^T as the coefficient vector of , and randomly choose s ∈ Z_p then output where

Index (pp, ω, R_θ, W) → Ind: A revocation list R_θ ⊆ U which attribute θ ∈ ω. Data owner encrypts the file F which is firstly encrypted by a symmetric encryption algorithm and gets cipher text F*, and suppose that the symmetric encryption key is m. The set of keywords W = {w₁, w₂,…, w_N} is extracted from the F, and randomly choose t ∈ Z_p,and output the keywords index where and send <Ind, ct, F*> to the cloud server.

Trapdoor (pp, W′, τ) →τ*: The user constructs the search token τ* according to the keywords which he interests as and sends search token τ* = < τ₁, τ_2,0, τ_2,1, τ₃> and his ID to the cloud server.

Test (τ*, Ind) → 1 or 0: The cloud server receives the search token from the user. First, the cloud server judges that whether the ID of user is in the revocation list R_θ. If ID ∈ R_θ, let ω′ = ω − {θ};otherwise, ω′ = ω. If the set ω′ satisfies the access structure (M, ρ), then there exists a set of constants {μ_i ∈ Z_p}_i∈I, such that .

(1) When ID ∉ R_θ, cloud server selects N₁ keywords index from the Ind, we denote the result of selecting as ,where . Then cloud server tests the selected index set with the search token τ* = < τ₁, τ_2,0, τ_2,1, τ₃> with the following equation If the equation holds, it turns to next step; otherwise, it outputs 0.

If the equations all hold, it returns the corresponding cipher text <ct, F*> to the user, and user can decrypt. Otherwise, it outputs 0.

(2) When ID ∈ R_θ, cloud server selects N₁ keywords index from the Ind, we denote the result of selecting is ,where . Then cloud server tests the selected index set with the search token τ* = < τ₁, τ_2,0, τ_2,1, τ₃> with the following equation

If the equation holds, it turns to next step; otherwise, it outputs 0.

If the equations all hold, it returns the corresponding cipher text <ct, F*> to the user, and user can decrypt. Otherwise, it outputs 0.

Decryption (pp, ID, sk, R_θ, ct) → m: User can decrypt according to the returned cipher text. If ID ∈ R_θ, ω′ = ω − {θ};otherwise, ω′ = ω, and then:

(1) When ID ∈ R_θ, let I = {i: ρ(i) ∈ ω′}, and there exists a set of constants {μ_i ∈ Z_p}_i∈I, such that ∑_i∈I μ_i · M_i = (1,0,…, 0),then ∑_i∈I μ_iλ_i,1 = α. It calculates and m = C / φ, user can decrypt F* to get F with m.

(2) When ID ∉ R_θ, calculate so that when <X, Y> ≠ 0, and then calculate Let I = {i: ρ(i) ∈ ω′}, and there exists a set of constants {μ_i ∈ Z_p}_i∈I, such that ∑_i∈I μ_i · M_i = (1,0,…, 0),then ∑_i∈I μλ_i,0 = α+ rα₁. Thus we have and m = C / A, user can decrypt F* to get F with m.

Correctness analyses

In this subsection, we show that our construction is correct with some appropriate parameters setting.

(1) In the process of search the equation holds, it means that cloud server selects N₁ keywords index from the Ind which we denote ,where is matching the search token of the keywords from the user, then computes that a. When ID ∉ R_θ, compute that b. When ID ∈ R_θ, compute that

(2) The decryption process first calculates

(3) The decryption process calculates:

a. When ID ∈ R_θ b. When ID ∉ R_θ Let A = γ / ϕ = e(g, g)^sα.

Selective security model proof

Theorem1. If an adversary can break our scheme with advantage ε in the selective security model, then we can construct a simulator to solve the Decision q-BDHE problem with advantage .

Proof: This proof bases on [24].

The simulation proceeds as follows. First, the challenger sets

Then the challenger flips a fair binary coin μ: if μ = 0, the challenger sets Z = e(g₁, g_q)^s if μ = 1,then the challenger picks a random element Z from G₂.

Init. The simulator runs adversary . selects an attribute set ω* and a user revocation list ,where θ ∈ ω*, which it wishes to be challenged upon.

Setup. The simulator proceeds as follows:

(1) The simulator randomly chooses α′, β, δ, ∈ Z_p, and then simulator sets that ,implicitly has that α = α′ + α^q+1. Then it randomly chooses , and computes

(2) It sets where m ≤ Q. For k ∈ [1, m], simulator sets , randomly chooses b_k ∈ Z_p and has that and . The simulator sets the n×q matrix B = (b₁|…|b_m|0|…|0), for k ∈ [1, m], it consists by b_k, and q − m columns are 0. Sets Z = (z₁,⋯,z_q)^T ∈ Zⁿ and z_i = a^q+1−i, and implicitly has that A = B·Z + δ where . Define H = (h₁, h₂,…,h_n)^T = g^B·Z·g^δ, for k ∈ [1, m], we have that , so it doesn’t have z_k = a^q+1−k.

(3) It sets ω*′ = ω* − {θ}, randomly chooses two polynomials f₀(x) and f₁(x) of degree m and computes two polynomials as follows:

For i ∈ [0, m], let c_0,i and c_1,i be the ith term of f₀(x) and f₁(x), d_0,i and d_1,i be the ith term of u₀(x) and u₁(x). defines and ,at the same time, simulates {t_0,i, t_1,i}_{i = 1,…,m} where

Finally, gives the public parameters to .

Phase 1. Let M be a p×l matrix, ω*′ doesn’t satisfy the access structure (M, ρ). If ID ∈ R_θ, there is ω*′ = ω* − {θ}; otherwise, ω*′ = ω*. The simulator generates the secret key sk as follows.

(1) When ID ∉ R_θ (in this case, we have ω*′ = ω*), and ω*′doesn’t satisfy the access structure, first defines where π₁ = 1 We have M_i·π = 0 for each i when ρ(i) ∈ ω*. Then the simulator defines two vectors η₀ = (r, η_0,2,…,η_0,l)^T and η₁ = (0, η_1,2,…,η_1,l)^T, and defines that u₀ = α₁ η₀ + απ and u₁ = η₁ + απ, we can compute the first term of u₀ and u₁ are α + rα₁ and α.

i. When ρ(i) ∈ ω*, computes that and randomly chooses r_i,0, r_i,1 ∈ Z_p and computes that ii. When ρ(i) ∉ ω*, computes that and randomly chooses , and sets and , then Then computes that D₃ = g^r, .

(2) When and sets . The simulator randomly chooses r′ ∈ Z_p and sets r = r′ − a^k. Defines A = B · Z+δ, the first term of A is , and computes that randomly chooses and defines η = (α + rα₁, η₂, …, η_l)^T, and for i ∈ [1, p], sets M_i = (x_i,1, x_i,2, …, x_i,l), then computes randomly chooses r_i,0 ∈ Z_p, then As ω*′ does not satisfy the access structure, the simulation of and are the same as the previous case. For {K_i}_i∈[2,n], the simulator can computes by .

Challenge. The adversary submits two messages m₀ and m₁, randomly chooses m_b where b ∈{0,1} to encrypt. Then computes

Then the simulator defines Y = (y₁, ⋯, y_n)^T according to the revocation list and <X_k, Y > = 0 for k ∈[1,m]. And we have that where γ₁ = (y₂, ⋯, y_n)^T, then and computes

Then sends the challenge ciphertext ct* = (C, C₁, C_2,0, C_2,1, C₃) to the adversary . If μ = 0, then Z = e(g₁, g_q)^s, the challenge ciphertext ct* is a valid random encryption of message m_b. If μ = 1, then Z is a random element of G₂, and ct*is also random from the adversary’s view, and ct* contains no information of m_b.

Phase2. Same as Phase1.

Guess. The adversary outputs the guess b′ of b. outputs μ = 0 to guess that Z = e(g₁, g_q)^s if b′ = b; otherwise, outputs μ = 1, and it indicates that Z is a random element in G₂. And the advantage of simulator to solve the q-BDHE problem is

IND-CKA security proof

Theorem 2. Suppose there exists a polynomial-time adversary , which can attack our scheme with advantage ε in the IND-CKA model. We can construct a simulator that can solve the DDH problem in G₁ with probability at lest , where e is constant, and we assume the adversary makes M index queries and T search token queries(it contains N₁ keywords) in each phase[10].

Proof: is given an instance g, g^a, g^b, g^c of the DDH problem in G₁. In the following parts, we construct the cipher text by setting δ = b. The simulation proceeds as follows:

Init. The adversary selects a attribute set ω* and a user revocation list of θ ∈ ω*. is given an instance g, g^a, g^b, g^c of the DDH problem in G₁. Then runs the algorithm to generate the public parameter pp and sends it to adversary .

Phase1. maintains a hash list L = {w_j, α_j, l_j} and randomly chooses α_j ∈ Z_p for keywords w_j with biased coin flip l_j. The list is empty when begins and simulates the hash function as a random oracle. And if the random oracle is queried for a hash of w, searches the hush list L if the w exists in the list.

1. If l_j = 0,the gives that ;
2. If l_j = 1,the algorithm aborts;
3. If the keyword w does not exist in the list, the flips a random coin l ∈ {0,1} so that Pr[coin′ = 0] = σ and σ will be calculated later.
   1. If l = 0, the randomly chooses α ∈ Z_p,and adds < w, α, 0 > to the hush list;
   2. If l = 1, the adds < w, ⊥, 1 > to the hush list.
   3. The repeat the above process.

Keywords index query. If the adversary asks the keyword w_j of index information, searches the hush list L. If l_j = 1, aborts; and if l_j = 0, randomly chooses t ∈ Z_p, let and generates that

Search token query. If the adversary asks the keyword of searching token with the access structure (M, ρ), Let M be a p×l matrix, ω*′doesn’t satisfy the access structure (M, ρ). If , there is ω*′ = ω* − {θ}; otherwise, ω*′ = ω*. searches the hush list L. If , aborts; and if ,let . For i = 1 to l, randomly choose ξ_i ∈ Z_p and generates that

Challenge. The adversary outputs two keywords and , randomly chooses b ∈ {0,1} and searches the hush list L that . If l = 0, aborts; if l = 1, let and computes

Phase2. Same as Phase1.

Guess. The adversary outputs the guess b′ of b, outputs g^c = g^ab if b′ = b; otherwise g^c is a random group element in G₁.

Correctness Analyses. In the above simulation scheme, if the adversary has the advantage of attack our scheme, and then it will be given the keyword w_j of hush value is H(w_j) = g^a rather than the random value H(w_j) = g^aj. Then it can compute that I₁ = g^βH(w)^δ = g^β(g^b)^a, that is I₁ = g^βg^c = g^βg^ab, and computes that g^c = g^ab which means it solves the DDH problem.

Probability Analyses. Suppose that the adversary makes M index queries and T search token queries in each phase, and the probability that will not be terminated in two query phases 1 and 2 is , so the probability that it will not terminated during the challenge step is 1 − σ, so that results in an overall probability that does not abort is . And, through the computes that the maximum is , so the maximum probability is . Thus, if our scheme can be attacked by the adversary with the advantage ε, and the can resolve the DDH problem with advantage .